Hm. Well, I certainly see the logic in your explanation, however,
the client claims to have encountered this before and is confident it
is an apache config error. I will look into the keepalive. Would
you agree with this statement:
"apache servers check to see if the databits coming are coming
through different subnets."
If the above statement is true, then what does apache do if it
detects different subnets?
R
On Jan 3, 2007, at 4:45 PM, Sander Temme wrote:

On Jan 3, 2007, at 11:51 AM, Robert Denton wrote:

Hi all, I hope someone here can point me in the right direction.
My apache server is dropping connections from a client that load
balances between 2 ISPs. I have been told that this may be a
result of some setting in the httpd.conf file that directs apache
to drop connections when there is a sudden change in destination
IP address. Supposedly this is to help prevent man-in-the-middle
attacks. I am fairly familiar with the httpd.conf contents (or so
I thought I was) and I cannot find anything in there related to
this phenomenon. Does anyone here have any idea what setting in
the config may contribute to this behavior? TIA.

You mean the client-side IP address might change in mid-
transaction? How would Apache learn of this when it occurs? When
Apache receives a request from an IP address, it sends the response
back to that IP address and no others.

The way you describe it, this sounds severely broken. Imagine:
Client sends TCP handshake followed by request from IP 1, server
sends response back to IP 1; Client's connection changes, it sends
subsequent request over existing connection (or so it thinks) but
now the packets arrive from IP 2; Server (not even Apache, but the
underlying OS) sees mid-connection packets from IP 2 that were not
preceded by a TCP handshake, and sends an RST (or silently absorbs
depending on configuration, firewalls, etc.). As I said, broken.

If your client has an AS that may fail over to a different ISP,
it's a different story. However, you should not even notice that
when it happens.

I'd say reduce the KeepAlive timeout or turn off KeepAlive
altogether to make sure Apache doesn't keep connections open
across such router flaps. Or take the Clue bat to your client.

S.
--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
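
Added example, not part of the original thread: a toy Python model of the sequence described in the reply above, where the server's OS looks up each inbound TCP segment by its 4-tuple and a segment arriving from a second source IP matches no connection. The class and function names are hypothetical, the addresses are constructed from documentation ranges, and the model omits sequence numbers and timers.

```python
# Toy model (constructed for illustration): a server OS finds the connection
# for an inbound TCP segment by its 4-tuple. This is not a real TCP stack.
from typing import NamedTuple

class Segment(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "SYN", "ACK" or "PSH" (data)

class ToyStack:
    def __init__(self, listen_port: int):
        self.listen_port = listen_port
        self.half_open = set()     # SYN seen, waiting for the final ACK
        self.established = set()   # handshake completed

    def receive(self, seg: Segment) -> str:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if key in self.established:
            return "DELIVER" if seg.flags == "PSH" else "ACK"
        if seg.flags == "SYN" and seg.dst_port == self.listen_port:
            self.half_open.add(key)
            return "SYN-ACK"
        if seg.flags == "ACK" and key in self.half_open:
            self.half_open.remove(key)
            self.established.add(key)
            return "ESTABLISHED"
        # No matching connection and not a new handshake: the OS answers
        # with RST (or a firewall drops it); the web server never sees it.
        return "RST"

def replay():
    """Client handshakes via ISP 1, then its next request leaves via ISP 2."""
    server, isp1, isp2 = "192.0.2.10", "198.51.100.7", "203.0.113.7"
    stack = ToyStack(80)
    trace = [
        Segment(isp1, 40000, server, 80, "SYN"),
        Segment(isp1, 40000, server, 80, "ACK"),
        Segment(isp1, 40000, server, 80, "PSH"),   # first request
        Segment(isp2, 40000, server, 80, "PSH"),   # keep-alive reuse, new path
        Segment(isp2, 40001, server, 80, "SYN"),   # fresh handshake is accepted
    ]
    return [stack.receive(s) for s in trace]

if __name__ == "__main__":
    print(replay())
```

The fourth segment is rejected below the web server, which is why shortening or disabling KeepAlive helps: each request then starts with its own handshake from whichever address the client is currently using.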